It uses ajax to call wp_generate_password(). We could quite easily generate a password with JS only, but I figured that we should allow the filter in wp_generate_password() to be applied. Open to other opinions however.

I definitely like the first patch better (even if it needs a refresh). Using wp_generate_password() which allows filtering makes this more useful (especially on enterprise sites with specific password requirements)